universalviewer icon indicating copy to clipboard operation
universalviewer copied to clipboard
verified publisher icon UniversalViewer

UV should not change localhost or loopback addresses of manifests from HTTP to HTTPS

Open jronallo opened this issue 7 years ago • 3 comments

UV version: 3.0.16

I'm submitting a:

  • [x] bug report
  • [ ] feature request => please use the user stories repo
  • [ ] support request => Please do not submit support requests here, use stackoverflow

Current behavior: If UV is loaded via HTTPS then it converts HTTP localhost and loopback addresses for manifests to HTTP. In some development and workshop scenarios this will cause the manifest to fail to load due to mixed content errors.

Expected behavior: The HTTP localhost and loopback addresses should be left alone (at least for an initial request) as browsers may treat them specially and allow the mixed content. This will allow developers to test localhost manifests on HTTPS pages.

I'd like to serve some workshop materials that use UV over HTTPS but the workshop relies on users spinning up a simple HTTP-only local web server like Web Server for Chrome to serve manifests and other files. This bug prevents users from seeing their results on an HTTPS site which means sticking with HTTP until this is resolved.

Steps to reproduce: works HTTP/HTTPS: http://ronallo.com/iiif-workshop-new/viewers/uv/uv.html#?manifest=https://d.lib.ncsu.edu/collections/catalog/nubian-message-2003-04-01/manifest

works HTTPS/HTTPS: https://ronallo.com/iiif-workshop-new/viewers/uv/uv.html#?manifest=https://d.lib.ncsu.edu/collections/catalog/nubian-message-2003-04-01/manifest

works HTTP/HTTP: http://ronallo.com/iiif-workshop-new/viewers/uv/uv.html#?manifest=http://127.0.0.1:3000/manifest.json

doesn't work HTTPS/HTTP: https://ronallo.com/iiif-workshop-new/viewers/uv/uv.html#?manifest=http://127.0.0.1:3000/manifest.json The URL of the manifest gets changed to https://127.0.0.1:3000/manifest.json based on looking at the network console, but the manifest is only available at http://127.0.0.1:3000/manifest.json.

While that's good to try the manifest on an HTTPS URL for remote URLs, it should not try to change localhost URLs like the following:

http://localhost http://localhost:3000 http://127.0.0.1 http://127.0.0.1:3000

Other information: Note also that Chrome and Firefox differ in their behavior. If you want to be really nice on HTTPS pages with a HTTP URL pointint to localhost, UV will try both localhost first and then try the 127.0.0.1 address as well.

See the notes here for how Chrome and Firefox differ: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

Basically Firefox implements the spec more strictly than Chrome. See: https://www.w3.org/TR/secure-contexts/#localhost

jronallo avatar May 14 '18 23:05 jronallo

Adding this to the next community call agenda.

edsilv avatar Aug 11 '18 10:08 edsilv

All issues will be triaged for further investigation or closure by the 28 September 2023. If your issue is still relevant and would like for it be investigated further please comment by 14 September 2023.

LlGC-szw avatar Aug 25 '23 11:08 LlGC-szw

@edsilv, any idea if this is still an issue? I'll mark as ACTIVE until we can confirm.

demiankatz avatar Nov 15 '23 16:11 demiankatz